Abstract — Cyber-physical systems integrate computation, communication, and physical capabilities to interact with the physical world and humans. Besides failures of components, cyber-physical systems are prone to malignant attacks, and specific analysis tools as well as monitoring mechanisms need to be developed to enforce system security and reliability. This paper proposes a unified framework to analyze the resilience of cyber-physical systems against attacks cast by an omniscient adversary. We model cyber-physical systems as linear descriptor systems, and attacks as exogenous unknown inputs. Despite its simplicity, our model captures various real-world cyber-physical systems, and it includes and generalizes many prototypical attacks, including stealth, (dynamic) false-data injection and replay attacks. First, we characterize fundamental limitations of static, dynamic, and active monitors for attack detection and identification. Second, we provide constructive algebraic conditions to cast undetectable and unidentifiable attacks. Third, by using the system interconnection structure, we describe graph-theoretic conditions for the existence of undetectable and unidentifiable attacks. Finally, we validate our findings through some illustrative examples with different cyber-physical systems, such as a municipal water supply network and two electrical power grids.



I. Introduction 

Cyber-physical systems arise from the tight integration of physical processes, computational resources, and communication capabilities. More precisely, processing units monitor and control physical processes by means of sensor and actuator networks. Examples of cyber-physical systems include transportation networks, power generation and distribution networks, water and gas distribution networks, and advanced communication systems. Due to the crucial role of cyber-physical systems in everyday life, cyber-physical security needs to be promptly addressed.

Besides failures and attacks on the physical infrastructure, cyber-physical systems are also prone to cyber attacks on their data management and communication layer. Recent studies and real-world incidents have demonstrated the inability of existing security methods to ensure a safe and reliable functionality of cyber-physical infrastructures against unforeseen failures and, possibly, external attacks [1]-[5]. The protection of critical infrastructures is, as of today, one of the main focuses of the Department of Homeland Security [5].

Concerns about security of control systems are not new, as the numerous manuscripts on systems fault detection, isolation, and recovery testify; see for example [6], [7]. Cyber-physical systems, however, suffer from specific vulnerabilities which do not affect classical control systems, and for which appropriate detection and identification techniques need to be developed. For instance, the reliance on communication networks and standard communication protocols to transmit measurements and control packets increases the possibility of intentional and worst-case (cyber) attacks against physical plants. On the other hand, information security methods, such as authentication, access control, message integrity, and cryptography methods, appear inadequate for a satisfactory protection of cyber-physical systems. Indeed, these security methods do not exploit the compatibility of the measurements with the underlying physical process and control mechanism, which are the ultimate objective of a protection scheme [8]. Moreover, such information security methods are not effective against insider attacks carried out by authorized entities, as in the famous Maroochy Water Breach case [3], and they also fail against attacks targeting directly the physical dynamics [9].
Related work. The analysis of vulnerabilities of cyber-physical systems to external attacks has received increasing attention in the last years. The general approach has been to study the effect of specific attacks against particular systems. For instance, in [10] deception and denial of service attacks against a networked control system are introduced, and, for the latter ones, a countermeasure based on semi-definite programming is proposed. Deception attacks refer to the possibility of compromising the integrity of control packets or measurements, and they are cast by altering the behavior of sensors and actuators. Denial of service attacks, instead, compromise the availability of resources by, for instance, jamming the communication channel. False data injection attacks against static state estimators have also been introduced. False data injection attacks are specific deception attacks in the context of static estimators. It is shown that undetectable false data injection attacks can be designed even when the attacker has limited resources. In a similar fashion, stealthy deception attacks against the Supervisory Control and Data Acquisition system are studied, among others, in [12], [11]. In [14] the effect of replay attacks on a control system is discussed. Replay attacks are cast by hijacking the sensors, recording the readings for a certain amount of time, and repeating such readings while injecting an exogenous signal into the system. It is shown that this type of attack can be detected by injecting a signal unknown to the attacker into the system. In [15] the effect of covert attacks against networked control systems is investigated. Specifically, a parameterized decoupling structure allows a covert agent to alter the behavior of the physical plant while remaining undetected from the original controller. In [16] a resilient control problem is studied, in which control packets transmitted over a network are corrupted by a human adversary. A receding-horizon Stackelberg control law is proposed to stabilize the control system despite the attack. Recently the problem of estimating the state of a linear system with corrupted measurements has been studied [17]. More precisely, the maximum number of faulty sensors that can be tolerated is characterized, and a decoding algorithm is proposed to detect corrupted measurements. Finally, security issues of some specific cyber-physical systems have received considerable attention, such as power networks [1], [2], [9], [12], [18]-[22], linear networks with misbehaving components [23], [24], and water networks [3], [13], [15], [25].
Contributions. The contributions of this paper are as follows. First, we describe a unified modeling framework for cyber-physical systems and attacks. Motivated by existing cyber-physical systems and proposed attack scenarios, we model a cyber-physical system under attack as a descriptor system subject to unknown inputs affecting the state and the measurements. For our model, we define the notions of detectability and identifiability of an attack by its effect on output measurements. Informed by the classic work on geometric control theory [26], our framework includes the deterministic static detection problem considered in [11], [12], and the prototypical deception and denial of service [10], stealth [18], (dynamic) false-data injection [27], replay [14], and covert attacks [15] as special cases. Second, we show the fundamental limitations of static, dynamic, and active detection and identification procedures. Specifically, we show that static detection procedures are unable to detect any attack affecting the dynamics, and that attacks corrupting the measurements can be easily designed to be undetectable. On the contrary, we show that undetectability in a dynamic setting is much harder to achieve for an attacker. Specifically, a cyber-physical attack is undetectable if and only if the attackers' signal excites uniquely the zero dynamics of the input/output system. Additionally, we show that active monitors capable of injecting test signals are as powerful as dynamic (passive) monitors, since an attacker can design undetectable and unidentifiable attacks without knowing the signal injected by the monitor into the system. This analysis brings us also to the conclusion that undetectable attacks can be cast even without knowledge of system noise. Third, we provide a graph-theoretic characterization of undetectable attacks. Specifically, we borrow some tools from the theory of structured systems, and we identify conditions on the system interconnection structure for the existence of undetectable attacks. These conditions are generic, in the sense that they hold for almost all numerical systems with the same structure, and they can be efficiently verified. As a complementary result, we extend a result of [28] on structural left-invertibility to regular descriptor systems. Fourth and finally, we illustrate the potential impact of our theoretical findings through compelling examples. In particular, we design (i) an undetectable state attack to destabilize the WSCC 3-machine 6-bus power system, (ii) an undetectable output attack for the IEEE 14 bus system, and (iii) an undetectable state and output attack to steal water from a reservoir of the EPANET network model 3. Through these examples we show the advantages of dynamic monitors against static ones, and we provide insight on the design of attacks.

Paper organization. The remainder of the paper is organized as follows. Section II presents some examples of cyber-physical systems. Section III contains our models of cyber-physical systems, attacks, and monitors. Our main results are presented in Section IV and in Section V. In particular, in Section IV we describe the fundamental limitations of static, dynamic, and active detectors, and we provide constructive algebraic conditions for the existence of undetectable and unidentifiable attacks. In Section V, instead, we derive graph-theoretic conditions for the existence of undetectable and unidentifiable attacks. Finally, Section VI and Section VII contain, respectively, our illustrative examples and our conclusion.

II. Examples of cyber-physical systems 

We now motivate our study by introducing important cyber-physical systems requiring advanced security mechanisms.

A. Power networks 

Future power grids will combine physical dynamics with a sophisticated coordination infrastructure. The cyber-physical security of the grid has been identified as an issue of primary concern [1], [2], which has recently attracted the interest of the control and power systems communities, see [12], [18]-[22].

We adopt the small-signal version of the classical structure-preserving power network model; see [19], [20] for a detailed derivation from the full nonlinear structure-preserving power network model. Consider a connected power network consisting of $n$ generators $\{g_1, \dots, g_n\}$ and $m$ load buses $\{b_{n+1}, \dots, b_{n+m}\}$. The interconnection structure of the power network is encoded by a connected susceptance-weighted graph. The generators $g_i$ and buses $b_i$ are the vertex set of this graph, and the edges are the transmission lines $\{b_i, b_j\}$ weighted by the susceptance between buses $b_i$ and $b_j$, as well as the connections $\{g_i, b_i\}$ weighted by the transient susceptance between generator $g_i$ and its adjacent bus $b_i$. The Laplacian associated with the susceptance-weighted graph is the symmetric susceptance matrix

$$\mathcal{L} = \begin{bmatrix} \mathcal{L}_{gg} & \mathcal{L}_{gl} \\ \mathcal{L}_{lg} & \mathcal{L}_{ll} \end{bmatrix} \in \mathbb{R}^{(n+m)\times(n+m)},$$

where the first $n$ rows are associated with the generators and the last $m$ rows correspond to the buses. The dynamic model of the power network is

$$\begin{bmatrix} I & 0 & 0 \\ 0 & M_g & 0 \\ 0 & 0 & 0 \end{bmatrix} \begin{bmatrix} \dot\delta(t) \\ \dot\omega(t) \\ \dot\theta(t) \end{bmatrix} = -\begin{bmatrix} 0 & -I & 0 \\ \mathcal{L}_{gg} & D_g & \mathcal{L}_{gl} \\ \mathcal{L}_{lg} & 0 & \mathcal{L}_{ll} \end{bmatrix} \begin{bmatrix} \delta(t) \\ \omega(t) \\ \theta(t) \end{bmatrix} + \begin{bmatrix} 0 \\ P_\omega(t) \\ P_\theta(t) \end{bmatrix}, \qquad (1)$$

where $\delta(t) \in \mathbb{R}^n$ and $\omega(t) \in \mathbb{R}^n$ denote the generator rotor angles and frequencies, and $\theta(t) \in \mathbb{R}^m$ are the voltage angles at the buses. The terms $M_g$ and $D_g$ are the diagonal matrices of the generator inertial and damping coefficients, and the inputs $P_\omega(t)$ and $P_\theta(t)$ are due to known changes in mechanical input power to the generators or real power demand at the loads.
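As an added example (not code from the paper), the following Python assembles the descriptor matrices $E$ and $A$ of model (1) from a constructed susceptance Laplacian with two generators and two load buses, and checks the regularity assumption (A1) of Section III, that $\det(sE - A)$ does not vanish identically, by evaluating the determinant at sampled values of $s$. The network, inertias and damping coefficients are made up for illustration.

```python
import numpy as np


def laplacian_from_edges(num_nodes, edges):
    """Susceptance-weighted graph Laplacian: L_ii = sum of incident weights,
    L_ij = -weight of edge {i, j}.  Generators must be numbered first."""
    L = np.zeros((num_nodes, num_nodes))
    for i, j, b in edges:
        L[i, i] += b
        L[j, j] += b
        L[i, j] -= b
        L[j, i] -= b
    return L


def build_power_descriptor(L, n, Mg, Dg):
    """Assemble E and A of model (1):
       E = diag(I, M_g, 0),  A = -[[0, -I, 0], [L_gg, D_g, L_gl], [L_lg, 0, L_ll]],
    so that E xdot = A x + (known inputs) with x = (delta, omega, theta).
    L is the (n+m)x(n+m) Laplacian with the n generator rows first."""
    m = L.shape[0] - n
    Lgg, Lgl = L[:n, :n], L[:n, n:]
    Llg, Lll = L[n:, :n], L[n:, n:]
    I, Zn = np.eye(n), np.zeros((n, n))
    Znm, Zmn, Zm = np.zeros((n, m)), np.zeros((m, n)), np.zeros((m, m))
    E = np.block([[I, Zn, Znm],
                  [Zn, Mg, Znm],
                  [Zmn, Zmn, Zm]])      # load-bus rows are purely algebraic
    A = -np.block([[Zn, -I, Znm],
                   [Lgg, Dg, Lgl],
                   [Llg, Zmn, Lll]])
    return E, A


def is_regular(E, A, trials=5, seed=0):
    """(A1): det(sE - A) is a polynomial in s, so it vanishes identically only
    if it vanishes at every s; a nonzero value at any sampled s certifies
    regularity.  Returns False only if all sampled points give (near) zero."""
    rng = np.random.default_rng(seed)
    for s in rng.uniform(-10.0, 10.0, size=trials):
        if abs(np.linalg.det(s * E - A)) > 1e-9:
            return True
    return False


# Constructed toy network: generators g0, g1 connect to buses b2, b3 with
# transient susceptance 2.0; the line {b2, b3} has susceptance 1.0.
EDGES = [(0, 2, 2.0), (1, 3, 2.0), (2, 3, 1.0)]
N_GEN = 2
L_TOY = laplacian_from_edges(4, EDGES)
M_G = np.diag([1.0, 2.0])     # constructed inertias
D_G = np.diag([0.1, 0.2])     # constructed damping coefficients


def model_summary():
    """Facts a practitioner checks before using (1) as the descriptor
    system of Section III: size, singularity of E, regularity of (E, A)."""
    E, A = build_power_descriptor(L_TOY, N_GEN, M_G, D_G)
    return {
        "dim": E.shape[0],
        "rank_E": int(np.linalg.matrix_rank(E)),
        "bus_rows_of_E_zero": bool(np.allclose(E[2 * N_GEN:], 0.0)),
        "regular": is_regular(E, A),
        "delta_dot_equals_omega": bool(np.allclose(A[:N_GEN, N_GEN:2 * N_GEN],
                                                   np.eye(N_GEN))),
    }


if __name__ == "__main__":
    for key, value in model_summary().items():
        print(f"{key}: {value}")
```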

B. Mass transport networks 

Mass transport networks are prototypical examples of cyber-physical systems modeled by differential-algebraic equations, such as gas transmission and distribution networks [29], large-scale process engineering plants [30], and water networks. Examples of water networks include open channel flows [31] for irrigation purposes and municipal water networks [32], [33]. The vulnerability of open channel networks to cyber-physical attacks has been studied in [13], [15], and municipal water networks are also known to be susceptible to attacks on the hydraulics [3] and biochemical contamination threats [25].

We focus on the hydraulics of a municipal water distribution network, as modeled in [32], [33]. The water network can be modeled as a directed graph with node set consisting of reservoirs, junctions, and storage tanks, and with edge set given by pipes, pumps, and valves that are used to convey water from source points to consumers. The key variables are the pressure head $h_i$ at each node $i$ in the network as well as the flows $Q_{ij}$ from node $i$ to $j$. The hydraulic model governing the network dynamics includes constant reservoir heads, flow balance equations at junctions and tanks, and pressure difference equations along all edges:

$$\begin{aligned}
\text{reservoir } i: \quad & h_i = h_i^{\text{reservoir}} = \text{constant}, \\
\text{junction } i: \quad & \sum_{j \to i} Q_{ji} - \sum_{j \to i} Q_{ij} = d_i, \\
\text{tank } i: \quad & A_i \dot h_i = \sum_{j \to i} Q_{ji} - \sum_{j \to i} Q_{ij}, \\
\text{pipe } (i,j): \quad & Q_{ij} = Q_{ij}(h_i - h_j), \\
\text{pump } (i,j): \quad & h_j - h_i = -\Delta h_{ij}^{\text{pump}} = \text{constant}, \\
\text{valve } (i,j): \quad & h_j - h_i = -\Delta h_{ij}^{\text{valve}} = \text{constant}.
\end{aligned} \qquad (2)$$

Here $d_i$ is the demand at junction $i$, $A_i$ is the (constant) cross-sectional area of storage tank $i$, and the notation "$j \to i$" denotes the set of nodes $j$ connected to node $i$. The flow depends on the pressure drop $h_i - h_j$ along pipe $(i,j)$ according to the Hazen-Williams equation $Q_{ij}(h_i - h_j) = g_{ij}\,|h_i - h_j|^{1/1.85 - 1} \cdot (h_i - h_j)$, where $g_{ij} > 0$ is the pipe conductance.

Other interesting examples of cyber-physical systems captured by our modeling framework are sensor networks, dynamic Leontief models of multi-sector economies, mixed gas-power energy networks, and large-scale control systems.

III. Mathematical Modeling of Cyber-physical Systems, Monitors, and Attacks

In this section we model cyber-physical systems under attack as linear time-invariant descriptor systems subject to unknown inputs. This modeling framework is very general and includes most of the existing cyber-physical models, attacks, and fault scenarios. Indeed, as shown in Section II, many interesting real-world cyber-physical systems contain conserved physical quantities leading to differential-algebraic system descriptions, and, as we show later, most attack and fault scenarios can be modeled by additive inputs affecting the state and the measurements.

Model of cyber-physical systems under attack. We consider the linear time-invariant descriptor system¹

$$E\dot x(t) = Ax(t) + Bu(t), \qquad y(t) = Cx(t) + Du(t), \qquad (3)$$

where $x(t) \in \mathbb{R}^n$, $y(t) \in \mathbb{R}^p$, $E \in \mathbb{R}^{n \times n}$, $A \in \mathbb{R}^{n \times n}$, $B \in \mathbb{R}^{n \times m}$, $C \in \mathbb{R}^{p \times n}$, and $D \in \mathbb{R}^{p \times m}$. Here the matrix $E$ is possibly singular, and the input terms $Bu(t)$ and $Du(t)$ are unknown signals describing disturbances affecting the plant. Besides reflecting the genuine failure of system components, these disturbances model the effect of an attack against the cyber-physical system (see below for our attack model). For notational convenience and without affecting generality, we assume that each state and output variable can be independently compromised by an attacker. Thus, we let $B = [I, 0]$ and $D = [0, I]$ be partitioned into identity and zero matrices of appropriate dimensions, and, accordingly, $u(t) = [u_x(t)^T, u_y(t)^T]^T$. Hence, the attack $(Bu(t), Du(t)) = (u_x(t), u_y(t))$ can be classified as a state attack affecting the system dynamics and as an output attack corrupting directly the measurements vector.

The attack signal $t \mapsto u(t) \in \mathbb{R}^{n+p}$ depends upon the specific attack strategy. In the presence of $k \in \mathbb{N}_0$, $k < n + p$, attackers indexed by the attack set $K \subseteq \{1, \dots, n+p\}$, only and all the entries $K$ of $u(t)$ are nonzero over time. To underline this sparsity relation, we sometimes use $u_K(t)$ to denote the attack mode, that is, the subvector of $u(t)$ indexed by $K$. Accordingly, we use the pair $(B_K, D_K)$, where $B_K$ and $D_K$ are the submatrices of $B$ and $D$ with columns in $K$, to denote the attack signature. Hence, $Bu(t) = B_K u_K(t)$ and $Du(t) = D_K u_K(t)$. Since the matrix $E$ may be singular, we make the following assumptions on system (3):

(A1) the pair $(E, A)$ is regular, that is, $\det(sE - A)$ does not vanish identically;

(A2) the initial condition $x(0) \in \mathbb{R}^n$ is consistent, that is, $(Ax(0) + Bu(0)) \perp \operatorname{Ker}(E^T)$; and

(A3) the input signal $u(t)$ is smooth.

The regularity assumption (A1) assures the existence of a unique solution $x(t)$ to (3). Assumptions (A2) and (A3) simplify the technical presentation in this paper since they guarantee smoothness of the state trajectory $x(t)$ and the measurements $y(t)$; see [34, Lemma 2.5] for further details. The degree of smoothness in assumption (A3) depends on the index of $(E, A)$, see [35, Theorem 2.42], and continuity of $u(t)$ is sufficient for the index-one examples presented in Section II. In Section IV-E we discuss the results in this paper if assumptions (A2) and (A3) are dropped.

Model of static, dynamic, and active monitors. A monitor is a pair $(\Phi, \gamma(t))$, where $\Phi : \mathcal{A} \to \Psi$ is an algorithm, and $\gamma : \mathbb{R}_{\ge 0} \to \mathbb{R}^{n+p}$ is a signal. In particular, $\mathcal{A}$ is the algorithm input to be specified later, $\Psi = \{\psi_1, \psi_2\}$, with $\psi_1 \in \{\text{True}, \text{False}\}$ and $\psi_2 \subseteq \{1, \dots, n+p\}$, is the algorithm output, and $(B\gamma(t), D\gamma(t))$ is an auxiliary input injected by the monitor into the system (3). In this work we consider the following classes of monitors for the system (3).

¹ The results stated in this paper for continuous-time descriptor systems hold also for discrete-time descriptor systems and nonsingular systems. Moreover, we neglect the presence of known inputs, since, due to the linearity of system (3), they do not affect our results on the detectability and identifiability of unknown input attacks.

Definition 1: (Static monitor) A static monitor is a monitor with $\gamma(t) = 0$ for all $t \in \mathbb{R}_{\ge 0}$, and $\mathcal{A} = \{C, y(t)\ \forall t \in \mathbb{N}_0\}$.

Note that static monitors do not exploit relations among measurements taken at different time instants. An example of static monitor is the bad data detector [36].

Definition 2: (Dynamic monitor) A dynamic monitor is a monitor with $\gamma(t) = 0$ for all $t \in \mathbb{R}_{\ge 0}$, and $\mathcal{A} = \{E, A, C, y(t)\ \forall t \in \mathbb{R}_{\ge 0}\}$.

Differently from static monitors, dynamic monitors have knowledge of the system dynamics generating $y(t)$ and may exploit temporal relations among different measurements. The filters defined in [21] are examples of dynamic monitors.

Definition 3: (Active monitor) An active monitor is a monitor with $\gamma(t) \neq 0$ for some $t \in \mathbb{R}_{\ge 0}$, and $\mathcal{A} = \{E, A, C, y(t)\ \forall t \in \mathbb{R}_{\ge 0}\}$.

Active monitors are dynamic monitors with the ability of modifying the system dynamics through an input. An example of active monitor is presented in [14] to detect replay attacks. The objective of a monitor is twofold:

Definition 4: (Attack detection) A nonzero attack $(B_K u_K(t), D_K u_K(t))$ is detected by a monitor if $\psi_1 = \text{True}$.

Definition 5: (Attack identification) A nonzero attack $(B_K u_K(t), D_K u_K(t))$ is identified by a monitor if $\psi_2 = K$.

An attack is called undetectable (respectively unidentifiable) by a monitor if it fails to be detected (respectively identified) by every monitor in the same class. Of course, an undetectable attack is also unidentifiable, since it cannot be distinguished from the zero attack. By extension, an attack set $K$ is undetectable (respectively unidentifiable) if there exists an undetectable (respectively unidentifiable) attack $(B_K u_K, D_K u_K)$.

Model of attacks. In this work we consider colluding omniscient attackers with the ability of altering the cyber-physical dynamics through exogenous inputs. In particular we let the attack $(Bu(t), Du(t))$ in (3) be designed based on knowledge of the system structure and parameters $E, A, C$, and the full state $x(t)$ at all times. Additionally, attackers have unlimited computation capabilities, and their objective is to disrupt the physical state or the measurements while avoiding detection.

Remark 1: (Existing attack strategies as subcases) The following prototypical attacks can be modeled and analyzed through our theoretical framework:

(i) stealth attacks defined in [18] correspond to output attacks compatible with the measurements equation;

(ii) replay attacks defined in [14] are state and output attacks which affect the system dynamics and reset the measurements;

(iii) covert attacks defined in [15] are closed-loop replay attacks, where the output attack is chosen to cancel out the effect on the measurements of the state attack; and

(iv) (dynamic) false-data injection attacks defined in [27] are output attacks rendering an unstable mode (if any) of the system unobservable.

A possible implementation of the above attacks in our model is illustrated in Fig. 1. □

Fig. 1. A block diagram illustration of prototypical attacks is here reported. In Fig. 1(a) the attacker corrupts the measurements $y(t)$ with the signal $D_K u_K(t) \in \operatorname{Im}(C)$. Notice that in this attack the dynamics of the system are not considered. In Fig. 1(b) the attacker affects the output so that $y(t) = y(x(0), u_K, t) = y(x(0), 0, t)$. The covert attack in Fig. 1(c) is a feedback version of the replay attack, and it can be explained analogously. In Fig. 1(d) the attack is such that the unstable pole $p$ is made unobservable.

To conclude this section we remark that the examples presented in Section II are captured in our framework. In particular, classical power network failures modeled by additive inputs include sudden changes in the mechanical power input to generators, line outages, and sensor failures; see [21] for a detailed discussion. Analogously, for a water network, faults modeled by additive inputs include leakages, variations in demand, and failures of pumps and sensors. Possible cyber-physical attacks in both power and water networks include compromising measurements [11]-[13] and attacks on the control architecture or the physical state itself [2], [3], [9], [22].

IV. Limitations of static, dynamic and active monitors for detection and identification

The objective of this section is to highlight fundamental detection and identification limitations of static, dynamic, and active monitors. In particular, we show that the performance of widely used static monitors can be greatly improved by exploiting the system dynamics. On the other hand, the possibility of injecting monitoring signals does not improve the detection capabilities of a (passive) dynamic monitor.

Observe that a cyber-physical attack is undetectable if there exists a normal operating condition of the system under which the output would be the same as under the perturbation due to the attacker. Let $y(x_0, u, t)$ be the output sequence generated from the initial state $x_0$ under the attack signal $u(t)$.

Lemma 4.1: (Undetectable attack) For the linear descriptor system (3), the attack $(B_K u_K, D_K u_K)$ is undetectable by a static monitor if and only if $y(x_1, u_K, t) = y(x_2, 0, t)$ for some initial conditions $x_1, x_2 \in \mathbb{R}^n$ and for $t \in \mathbb{N}_0$. If the same holds for $t \in \mathbb{R}_{\ge 0}$, then the attack is also undetectable by a dynamic monitor.

Lemma 4.1 follows from the fact that our monitors are deterministic, so that $y(x_1, u_K, t)$ and $y(x_2, 0, t)$ lead to the same output $\psi_1$. A more general concern than detectability is identifiability of attackers, that is, the possibility to distinguish from measurements between the action of two distinct attacks. We quantify the strength of an attack through the cardinality of the attack set. Since an attacker can independently compromise any state variable or measurement, every subset of the states and measurements of fixed cardinality is a possible attack set.

Lemma 4.2: (Unidentifiable attack) For the linear descriptor system (3), the attack $(B_K u_K, D_K u_K)$ is unidentifiable by a static monitor if and only if $y(x_1, u_K, t) = y(x_2, u_R, t)$ for some initial conditions $x_1, x_2 \in \mathbb{R}^n$, attack $(B_R u_R, D_R u_R)$ with $|R| \le |K|$ and $R \neq K$, and for $t \in \mathbb{N}_0$. If the same holds for $t \in \mathbb{R}_{\ge 0}$, then the attack is also unidentifiable by a dynamic monitor.

Lemma 4.2 follows analogously to Lemma 4.1. We now elaborate on the above lemmas to derive fundamental detection and identification limitations for the considered monitors.

A. Fundamental limitations of static monitors 



Following Lemma 4.1, an attack is undetectable by a static monitor if and only if, for all $t \in \mathbb{N}_0$, there exists a vector $\xi(t)$ such that $y(t) = C\xi(t)$. Notice that this condition is compatible with [11], where an attack is detected if and only if the residual $r(t) = y(t) - C\hat x(t)$ is nonzero for some $t \in \mathbb{N}_0$, where $\hat x(t) = C^\dagger y(t)$. In the following, let $\|v\|_0$ denote the number of nonzero components of the vector $v$.

Theorem 4.3: (Static detectability of cyber-physical attacks) For the cyber-physical descriptor system (3) and an attack set $K$, the following statements are equivalent:

(i) the attack set $K$ is undetectable by a static monitor;

(ii) there exists an attack mode $u_K(t)$ satisfying, for some $x(t)$ and at every $t \in \mathbb{N}_0$,

$$Cx(t) + D_K u_K(t) = 0. \qquad (4)$$

Moreover, there exists an attack set $K$, with $|K| = k \in \mathbb{N}_0$, undetectable by a static monitor if and only if there exists $x \in \mathbb{R}^n$ such that $\|Cx\|_0 = k$.

Before presenting a proof of the above theorem, we highlight that a necessary and sufficient condition for the equation (4) to be satisfied is that $D_K u_K(t) = u_{y,K}(t) \in \operatorname{Im}(C)$ at all times $t \in \mathbb{N}_0$, where $u_{y,K}(t)$ is the vector of the last $p$ components of $u_K(t)$. Hence, statement (ii) in Theorem 4.3 implies that no state attack can be detected by a static detection procedure, and that an undetectable output attack exists if and only if $\operatorname{Im}(D_K) \cap \operatorname{Im}(C) \neq \{0\}$.

Proof of Theorem 4.3: As previously discussed, the attack set $K$ is undetectable by a static monitor if and only if for each $t \in \mathbb{N}_0$ there exist $x(t)$ and $u_K(t)$ such that

$$r(t) = y(t) - CC^\dagger y(t) = (I - CC^\dagger)\,(Cx(t) + D_K u_K(t))$$

vanishes. Consequently, $r(t) = (I - CC^\dagger) D_K u_K(t)$, and the attack set $K$ is undetectable if and only if $D_K u_K(t) \in \operatorname{Im}(C)$, which is equivalent to statement (ii). The last necessary and sufficient condition in the theorem follows from (ii), and the fact that every output variable can be attacked independently of each other since $D = [0, I]$. ■

We now focus on the static identification problem. Following Lemma 4.2, the following result can be asserted.

Theorem 4.4: (Static identification of cyber-physical attacks) For the cyber-physical descriptor system (3) and an attack set $K$, the following statements are equivalent:

(i) the attack set $K$ is unidentifiable by a static monitor;

(ii) there exists an attack set $R$, with $|R| \le |K|$ and $R \neq K$, and attack modes $u_K(t)$, $u_R(t)$ satisfying, for some $x(t)$ and at every $t \in \mathbb{N}_0$,

$$Cx(t) + D_K u_K(t) + D_R u_R(t) = 0.$$

Moreover, there exists an attack set $K$, with $|K| = k \in \mathbb{N}_0$, unidentifiable by a static monitor if and only if there exists an attack set $\bar K$, with $|\bar K| \le 2k$, which is undetectable by a static monitor.

Similar to the fundamental limitations of static detectability in Theorem 4.3, Theorem 4.4 implies that, for instance, state attacks cannot be identified and that an undetectable output attack of cardinality $k$ exists if and only if $\operatorname{Im}(D_{\bar K}) \cap \operatorname{Im}(C) \neq \{0\}$, for some attack set $\bar K$ with $|\bar K| \le 2k$.

Proof of Theorem 4.4: Due to linearity of the system (3), the unidentifiability condition in Lemma 4.2 is equivalent to $y(x_K - x_R, u_K - u_R, t) = 0$, for some initial conditions $x_K$, $x_R$, and attack modes $u_K(t)$, $u_R(t)$. The equivalence between statements (i) and (ii) follows. The last statement follows from Theorem 4.3. ■



B. Fundamental limitations of dynamic monitors 

As opposed to a static monitor, a dynamic monitor checks for the presence of attacks at every time $t \in \mathbb{R}_{\ge 0}$. Intuitively, a dynamic monitor is harder to mislead than a static monitor. The following theorem formalizes this expected result.

Theorem 4.5: (Dynamic detectability of cyber-physical attacks) For the cyber-physical descriptor system (3) and an attack set $K$, the following statements are equivalent:

(i) the attack set $K$ is undetectable by a dynamic monitor;

(ii) there exists an attack mode $u_K(t)$ satisfying, for some $x(0)$ and for every $t \in \mathbb{R}_{\ge 0}$,

$$E\dot x(t) = Ax(t) + B_K u_K(t), \qquad 0 = Cx(t) + D_K u_K(t);$$

(iii) there exist $s \in \mathbb{C}$, $g \in \mathbb{R}^{|K|}$, and $x \in \mathbb{R}^n$, with $x \neq 0$, such that $(sE - A)x - B_K g = 0$ and $Cx + D_K g = 0$.

Moreover, there exists an attack set $K$, with $|K| = k$, undetectable by a dynamic monitor if and only if there exist $s \in \mathbb{C}$ and $x \in \mathbb{R}^n$ such that $\|(sE - A)x\|_0 + \|Cx\|_0 = k$.



Before proving Theorem 4.5, some comments are in order. First, differently from the static case, state attacks can be detected in the dynamic case. Second, in order to mislead a dynamic monitor an attacker needs to inject a signal which is consistent with the system dynamics at every instant of time. Hence, as opposed to the static case, the condition $D_K u_K(t) = u_{y,K}(t) \in \operatorname{Im}(C)$ needs to be satisfied for every $t \in \mathbb{R}_{\ge 0}$, and it is only necessary for the undetectability of an output attack. Indeed, for instance, state attacks can be detected even though they automatically satisfy the condition $D_K u_K(t) = 0 \in \operatorname{Im}(C)$. Third and finally, according to the last statement of Theorem 4.5, the existence of invariant zeros² for the system $(E, A, B_K, C, D_K)$ is equivalent to the existence of undetectable attacks. As a consequence, a dynamic monitor performs better than a static monitor, while requiring, possibly, fewer measurements. We refer to Section VI-B for an illustrative example of this last statement.

Proof of Theorem 4.5: By Lemma 4.1 and linearity of the system (3), the attack mode $u_K(t)$ is undetectable by a dynamic monitor if and only if there exists $x_0$ such that $y(x_0, u_K, t) = 0$ for all $t \in \mathbb{R}_{\ge 0}$, that is, if and only if the system (3) features zero dynamics. Hence, statements (i) and (ii) are equivalent. For a linear descriptor system with smooth input and consistent initial condition, the existence of zero dynamics is equivalent to the existence of invariant zeros [34, Theorem 3.2 and Proposition 3.4]. The equivalence of statements (ii) and (iii) follows. The last statement follows from (iii), and the fact that $B = [I, 0]$ and $D = [0, I]$. ■
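As an added example (not the paper's own code), the following Python puts Theorems 4.3 and 4.5 side by side on a constructed discrete-time plant with $E = I$ (a case covered by footnote 1): the static residual $(I - CC^\dagger)y(t)$ from the proof of Theorem 4.3, a dynamic monitor that tests whether the whole output window is consistent with some attack-free initial state as in Lemma 4.1, and the invariant-zero certificate of Theorem 4.5 (iii) computed as a rank drop of the pencil $[sE - A, -B_K;\ C, D_K]$. The plant, its two redundant sensors and the three attack signals are all constructed here for illustration.

```python
import numpy as np

# Constructed plant (not from the paper): two states, two sensors that both
# read x1, so Im(C) is the line spanned by [1, 1].  E = I, discrete time.
A = np.array([[0.9, 0.2],
              [0.0, 0.5]])
C = np.array([[1.0, 0.0],
              [1.0, 0.0]])
n, p = A.shape[0], C.shape[0]
B = np.hstack([np.eye(n), np.zeros((n, p))])   # B = [I, 0]: every state attackable
D = np.hstack([np.zeros((p, n)), np.eye(p)])   # D = [0, I]: every sensor attackable
T = 20                                          # samples seen by the monitors


def simulate(x0, u):
    """x(t+1) = A x(t) + B u(t), y(t) = C x(t) + D u(t); returns Y of shape (T, p)."""
    x, Y = np.array(x0, dtype=float), []
    for t in range(T):
        ut = u(t)
        Y.append(C @ x + D @ ut)
        x = A @ x + B @ ut
    return np.array(Y)


def static_residual(Y):
    """Static monitor (Theorem 4.3): largest norm of r(t) = (I - C C^+) y(t)."""
    P = np.eye(p) - C @ np.linalg.pinv(C)
    return max(np.linalg.norm(P @ y) for y in Y)


def dynamic_residual(Y):
    """Dynamic monitor (Lemma 4.1): least-squares fit of the whole window to
    y(t) = C A^t x0; a nonzero misfit means no attack-free x0 explains the data."""
    O = np.vstack([C @ np.linalg.matrix_power(A, t) for t in range(T)])
    x0, *_ = np.linalg.lstsq(O, Y.reshape(-1), rcond=None)
    return np.abs(O @ x0 - Y.reshape(-1)).max()


def invariant_zero_rank_drop(s, BK, DK):
    """Rank drop of [sE - A, -B_K; C, D_K] at s relative to a generic point;
    a positive drop means s is an invariant zero (footnote 2 of the paper)."""
    def pencil(z):
        return np.block([[z * np.eye(n) - A, -BK], [C, DK]])
    normal_rank = np.linalg.matrix_rank(pencil(0.123 + 0.456j))
    return int(normal_rank - np.linalg.matrix_rank(pencil(s)))


def state_attack():
    """K = {x2}: constant push on the unmeasured state, no sensor tampering.
    Static residual is zero (D_K u_K = 0 is in Im(C)); the dynamic one is not."""
    Y = simulate([1.0, 0.0], lambda t: np.array([0.0, 0.3, 0.0, 0.0]))
    return static_residual(Y), dynamic_residual(Y)


def output_attack_in_im_C():
    """K = {y1, y2}: identical corruption on both sensors stays inside Im(C),
    so the static monitor is blind, but the signal is not a plant trajectory."""
    u = lambda t: np.array([0.0, 0.0, 0.4 * np.sin(t), 0.4 * np.sin(t)])
    Y = simulate([1.0, 0.0], u)
    return static_residual(Y), dynamic_residual(Y)


def zero_dynamics_attack():
    """K = {y1, y2} driven along an invariant zero: s = 0.5 is an eigenvalue
    of A with eigenvector v, and g = -C v solves (sE - A)x - B_K g = 0 and
    C x + D_K g = 0.  Starting the plant at x_nom + v and injecting
    u_K(t) = g s^t makes the output coincide with the attack-free trajectory
    from x_nom, which is Theorem 4.5 (ii) in action."""
    s, v = 0.5, np.array([-0.5, 1.0])
    g = -C @ v
    BK, DK = np.zeros((n, p)), np.eye(p)
    drop = invariant_zero_rank_drop(s, BK, DK)
    x_nom = np.array([1.0, 0.0])
    Y_att = simulate(x_nom + v, lambda t: np.concatenate([np.zeros(n), g * s ** t]))
    Y_nom = simulate(x_nom, lambda t: np.zeros(n + p))
    gap = np.abs(Y_att - Y_nom).max()
    return drop, static_residual(Y_att), dynamic_residual(Y_att), gap


if __name__ == "__main__":
    for name, fn in [("state attack", state_attack),
                     ("output attack in Im(C)", output_attack_in_im_C)]:
        st, dy = fn()
        print(f"{name}: static residual {st:.2e}, dynamic residual {dy:.2e}")
    drop, st, dy, gap = zero_dynamics_attack()
    print(f"zero-dynamics attack: rank drop {drop}, static {st:.2e}, "
          f"dynamic {dy:.2e}, gap to attack-free output {gap:.2e}")
```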

We now consider the identification problem.

Theorem 4.6: (Dynamic identifiability of cyber-physical
attacks) For the cyber-physical descriptor system (3) and an
attack set K, the following statements are equivalent:

(i) the attack set K is unidentifiable by a dynamic monitor;

(ii) there exists an attack set R, with |R| \le |K| and R \ne K,
and attack modes u_K(t), u_R(t) satisfying, for some x(0)
and for every t \in \mathbb{R}_{\ge 0},

E\dot x(t) = A x(t) + B_K u_K(t) + B_R u_R(t),
0 = C x(t) + D_K u_K(t) + D_R u_R(t);

(iii) there exists an attack set R, with |R| \le |K| and R \ne K,
s \in \mathbb{C}, g_K \in \mathbb{R}^{|K|}, g_R \in \mathbb{R}^{|R|}, and x \in \mathbb{R}^n, with
x \ne 0, such that (sE - A)x - B_K g_K - B_R g_R = 0 and
Cx + D_K g_K + D_R g_R = 0.

Moreover, there exists an attack set K, with |K| = k \in \mathbb{N}_0,
unidentifiable by a dynamic monitor if and only if there exists
an attack set \bar K, with |\bar K| \le 2k, which is undetectable by a
dynamic monitor.

Proof: Notice that, because of the linearity of the system (3),
the unidentifiability condition in Lemma 4.2 is equivalent
to the condition y(x_K - x_R, u_K - u_R, t) = 0, for some
initial conditions x_K, x_R, and attack modes u_K(t), u_R(t). The
equivalence between statements (i) and (ii) follows. Finally,
the last two statements follow from Theorem 4.5 and the fact
that B = [I, 0] and D = [0, I]. ■

In other words, the existence of an unidentifiable attack set
K of cardinality k is equivalent to the existence of invariant
zeros for the system (E, A, B_{\bar K}, C, D_{\bar K}), for some attack set
\bar K with |\bar K| \le 2k. We conclude this section with the following
remarks. The existence condition in Theorem 4.6 is hard to
verify because of its combinatorial complexity: in order to
check if there exists an unidentifiable attack set K, with
|K| = k, one needs to certify the absence of invariant zeros for
all possible 2k-dimensional attack sets. Thus, a conservative
verification scheme requires one invariant-zero test for each
candidate attack set of cardinality 2k, a number that grows
combinatorially with the system dimension. In Section V we
present intuitive graph-theoretic conditions for the existence of
undetectable and unidentifiable attack sets for a given sparsity
pattern of the system matrices and generic system parameters.
Finally, Theorem 4.6 includes as a special case Proposition 4
in [17], which considers exclusively output attacks.

^2 For the system (E, A, B_K, C, D_K), the value s \in \mathbb{C} is an invariant zero if
there exists x \in \mathbb{R}^n, with x \ne 0, and g \in \mathbb{R}^{|K|}, such that (sE - A)x - B_K g = 0
and Cx + D_K g = 0.

C. Fundamental limitations of active monitors

An active monitor uses a control signal (unknown to the
attacker) to reveal the presence of attacks; see [14] for the case
of replay attacks. In the presence of an active monitor with
input signal w(t) = [w_x(t)^T\ w_y(t)^T]^T, the system (3) reads as

E\dot x(t) = A x(t) + B_K u_K(t) + w_x(t),
y(t) = C x(t) + D_K u_K(t) + w_y(t).

Although the attacker is unaware of the signal w(t), active
and dynamic monitors share the same limitations.

Theorem 4.7: (Limitations of active monitors) For the
cyber-physical descriptor system (3), let w(t) be an additive
signal injected by an active monitor. The existence of unde-
tectable (respectively unidentifiable) attacks does not depend
upon the signal w(t). Moreover, undetectable (respectively
unidentifiable) attacks can be designed independently of w(t).

Proof: For the system (3), let u(t) be the attack mode,
and let w(t) be the monitoring input. Let y(x, u, w, t) denote
the output generated by the inputs u(t) and w(t) with initial
condition x = x_1 + x_2. Observe that, because of the linearity
of (3), we have y(x, u, w, t) = y(x_1, u, 0, t) + y(x_2, 0, w, t),
with consistent initial conditions x_1 and x_2. Then, an attack
u(t) is undetectable if and only if y(x, u, w, t) = y(\bar x, 0, w, t),
or equivalently y(x_1, u, 0, t) + y(x_2, 0, w, t) = y(\bar x_1, 0, 0, t) +
y(x_2, 0, w, t), for some initial conditions \bar x = \bar x_1 + x_2 and x = x_1 +
x_2. The statement follows, since, from the equality above, the
detectability of u(t) does not depend upon w(t). ■



As a consequence of Theorem 4.7, the existence of un-
detectable attacks is independent of the presence of known
control signals. Therefore, in a worst-case scenario, active
monitors are as powerful as dynamic monitors. Since replay
attacks are detectable by an active monitor [14], Theorem 4.7
shows that replay attacks are not worst-case attacks.

Remark 2: (Undetectable attacks in the presence of state
and measurement noise) The input w(t) in Theorem 4.7 may
represent sensor and actuator noise. In this case, Theorem
4.7 states that the existence of undetectable attacks for a noise-
free system implies the existence of undetectable attacks for
the same system driven by noise. The converse does not hold,
since attackers may remain undetected by injecting a signal
compatible with the noise statistics. □

D. Specific results for index-one singular systems

For many interesting real-world descriptor systems, includ-
ing the examples in Sections II-A and II-B, the algebraic system
equations can be solved explicitly, and the descriptor system
(3) can be reduced to a nonsingular state space system. For
this reason, this section presents specific results for the case of
index-one systems [37]. In this case, without loss of generality,
we assume the system (3) to be written in the canonical form

\begin{bmatrix} E_{11} & 0 \\ 0 & 0 \end{bmatrix}
\begin{bmatrix} \dot x_1 \\ \dot x_2 \end{bmatrix} =
\begin{bmatrix} A_{11} & A_{12} \\ A_{21} & A_{22} \end{bmatrix}
\begin{bmatrix} x_1 \\ x_2 \end{bmatrix} +
\begin{bmatrix} B_1 \\ B_2 \end{bmatrix} u_K(t),
\qquad
y(t) = \begin{bmatrix} C_1 & C_2 \end{bmatrix}
\begin{bmatrix} x_1 \\ x_2 \end{bmatrix} + D_K u_K(t), \qquad (5)

where E_{11} is nonsingular and A_{22} is nonsingular. Conse-
quently, the states x_1 and x_2 are referred to as dynamic state
and algebraic state, respectively. The algebraic state can be
expressed via the dynamic state and the attack mode as

x_2(t) = -A_{22}^{-1} A_{21} x_1(t) - A_{22}^{-1} B_2 u_K(t). \qquad (6)

The elimination of the algebraic state x_2 in the descriptor
system (3) leads to the nonsingular state space system

\dot x_1(t) = \underbrace{E_{11}^{-1}\left(A_{11} - A_{12} A_{22}^{-1} A_{21}\right)}_{\tilde A} x_1(t)
+ \underbrace{E_{11}^{-1}\left(B_1 - A_{12} A_{22}^{-1} B_2\right)}_{\tilde B_K} u_K(t),
\qquad (7)
y(t) = \underbrace{\left(C_1 - C_2 A_{22}^{-1} A_{21}\right)}_{\tilde C} x_1(t)
+ \underbrace{\left(D_K - C_2 A_{22}^{-1} B_2\right)}_{\tilde D_K} u_K(t).

This reduction of the algebraic states is known as Kron
reduction in the literature on power networks and circuit theory
[38]. Hence, we refer to (7) as the Kron-reduced system.

Clearly, for any state trajectory x_1(t) of the Kron-reduced
system (7), the corresponding state trajectory [x_1^T(t)\ x_2^T(t)]^T
of the (non-reduced) cyber-physical descriptor system (3) can
be recovered by identity (6) and given knowledge of the input
u_K(t). The following subtle issues are easily visible in the
Kron-reduced system (7). First, a state attack affects directly
the output y(t), provided that C_2 A_{22}^{-1} B_2 u_K(t) \ne 0. Second,
since the matrix A_{22}^{-1} is generally fully populated, an attack on
a single algebraic component can affect not only the locally
attacked state or its vicinity but larger parts of the system.

According to the transformations in (7), for each attack set
K, the attack signature (B_K, D_K) is mapped to the corre-
sponding signature (\tilde B_K, \tilde D_K) in the Kron-reduced system. As
an apparent disadvantage, the sparsity pattern of the original
(non-reduced) cyber-physical descriptor system (3) is lost in
the Kron-reduced representation (7), and so is, possibly, the
physical interpretation of the state and the direct representation
of system components. However, as we show in the following
lemma, the notions of detectability and identifiability of an
attack set K defined for the original descriptor system (3)
are equivalent for the Kron-reduced system (7). This property
renders the low-dimensional and nonsingular Kron-reduced
system (7) attractive from a computational point of view to
design attack detection and identification monitors; see [39].

Lemma 4.8: (Equivalence of detectability and identifiabil-
ity under Kron reduction) For the cyber-physical descriptor
system (3), the attack set K is detectable (respectively identi-
fiable) if and only if it is detectable (respectively identifiable)
for the associated Kron-reduced system (7).

Proof: The lemma follows from the fact that the input and
initial condition to output map for the system (3) coincides
with the corresponding map for the Kron-reduced system (7)
and equation (6). Indeed, according to Theorem 4.5, the attack
set K is undetectable if and only if there exist s \in \mathbb{C}, g \in
\mathbb{R}^{|K|}, and x = [x_1^T\ x_2^T]^T \in \mathbb{R}^n, with x \ne 0, such that

(sE - A)x - B_K g = 0 \quad \text{and} \quad Cx + D_K g = 0.

Equivalently, by eliminating the algebraic constraints as in (6),
the attack set K is undetectable if and only if the conditions

(sI - \tilde A)x_1 - \tilde B_K g = 0 \quad \text{and} \quad \tilde C x_1 + \tilde D_K g = 0

are satisfied together with x_2 = -A_{22}^{-1} A_{21} x_1 - A_{22}^{-1} B_2 g.
Notice that the latter equation is always satisfied due to
the consistency assumption (A2), and the equivalence of
detectability of the attack set K follows. The equivalence of
attack identifiability follows by analogous arguments. ■
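The reduction (5) to (7) and the equivalence stated in Lemma 4.8 can be checked numerically. The following Python script is an added example, not code from the paper: it performs the Kron reduction in exact rational arithmetic and compares the column rank of the Rosenbrock matrix [sE - A, -B_K; C, D_K] of the descriptor system with that of its Kron-reduced counterpart at candidate frequencies s, which is exactly the invariant-zero test of footnote 2. The three-state index-one instance it uses (one dynamic state, two algebraic states, one state attack on the first algebraic equation, one sensor on the second algebraic state) is constructed for illustration and is not one of the paper's networks; the function names are ours.

```python
from fractions import Fraction as F

# ---- exact rational matrix helpers (lists of lists of Fractions) ----
def mat(rows):
    return [[F(v) for v in r] for r in rows]

def zeros(r, c):
    return [[F(0)] * c for _ in range(r)]

def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B)))
             for j in range(len(B[0]))] for i in range(len(A))]

def matsub(A, B):
    return [[a - b for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]

def scale(A, c):
    return [[c * v for v in r] for r in A]

def block(grid):
    """Assemble a block matrix from a grid (list of block rows) of equally tall blocks."""
    return [[v for blk in brow for v in blk[i]] for brow in grid for i in range(len(brow[0]))]

def rref_rank(A):
    """Rank by exact Gauss-Jordan elimination; returns (rank, reduced copy)."""
    M = [r[:] for r in A]
    rk = 0
    for c in range(len(M[0])):
        piv = next((r for r in range(rk, len(M)) if M[r][c] != 0), None)
        if piv is None:
            continue
        M[rk], M[piv] = M[piv], M[rk]
        M[rk] = [v / M[rk][c] for v in M[rk]]
        for r in range(len(M)):
            if r != rk and M[r][c] != 0:
                M[r] = [a - M[r][c] * b for a, b in zip(M[r], M[rk])]
        rk += 1
    return rk, M

def inverse(A):
    """Inverse of a square nonsingular rational matrix via the reduced form of [A | I]."""
    n = len(A)
    if rref_rank(A)[0] < n:
        raise ValueError("matrix is singular")
    _, M = rref_rank([r[:] + [F(int(i == j)) for j in range(n)] for i, r in enumerate(A)])
    return [r[n:] for r in M]

def kron_reduce(E11, A11, A12, A21, A22, B1, B2, C1, C2, DK):
    """Eliminate the algebraic state x2 of the index-one form (5): returns (A~, B~_K, C~, D~_K) of (7)."""
    Einv, A22inv = inverse(E11), inverse(A22)
    A12_A22inv, C2_A22inv = matmul(A12, A22inv), matmul(C2, A22inv)
    At = matmul(Einv, matsub(A11, matmul(A12_A22inv, A21)))
    Bt = matmul(Einv, matsub(B1, matmul(A12_A22inv, B2)))
    Ct = matsub(C1, matmul(C2_A22inv, A21))
    Dt = matsub(DK, matmul(C2_A22inv, B2))
    return At, Bt, Ct, Dt

def rosenbrock_rank(s, E, A, B, C, D):
    """Rank of the Rosenbrock matrix [sE - A, -B; C, D] at a rational frequency s."""
    P = block([[matsub(scale(E, F(s)), A), scale(B, F(-1))], [C, D]])
    return rref_rank(P)[0]

# ---- constructed instance (not one of the paper's networks) ----
# one dynamic state x1, two algebraic states x2 = (x21, x22); the attack u_K enters the
# first algebraic equation (a state attack, D_K = 0) and the sensor reads x22 only.
E11, A11, A12 = mat([[1]]), mat([[-1]]), mat([[1, 0]])
A21, A22 = mat([[1], [0]]), mat([[-2, 1], [1, -2]])
B1, B2 = mat([[0]]), mat([[1], [0]])
C1, C2, DK = mat([[0]]), mat([[0, 1]]), mat([[0]])

E = block([[E11, zeros(1, 2)], [zeros(2, 1), zeros(2, 2)]])
A = block([[A11, A12], [A21, A22]])
B, C = block([[B1], [B2]]), block([[C1, C2]])
At, Bt, Ct, Dt = kron_reduce(E11, A11, A12, A21, A22, B1, B2, C1, C2, DK)

def invariant_zero_at(s):
    """(descriptor verdict, Kron-reduced verdict): True when s is an invariant zero, i.e. the
    Rosenbrock matrix loses column rank (n state columns + |K| attack columns).
    Lemma 4.8 says the two verdicts agree for every s."""
    desc = rosenbrock_rank(s, E, A, B, C, DK) < len(A) + len(B[0])
    red = rosenbrock_rank(s, mat([[1]]), At, Bt, Ct, Dt) < len(At) + len(Bt[0])
    return desc, red
```

On this instance the reduced feedthrough D~_K equals 1/3 although D_K = 0, which is the first "subtle issue" noted above (a state attack reaches the output directly through C_2 A_{22}^{-1} B_2), and both Rosenbrock matrices lose rank exactly at s = -1, the single invariant zero, so a dynamic monitor cannot distinguish the attack from the zero-dynamics response started there.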

E. Attack detection and identification in presence of inconsis-
tent initial conditions and impulsive attack signals

We now discuss the case of non-smooth attack signals and
inconsistent initial conditions. If the consistency assumption
(A3) is dropped, then discontinuities in the state x(0^+) may
affect the measurements y(0^+). For instance, for index-one
systems, an inconsistent initial condition leads to an initial
jump of the algebraic variable x_2(0^+) to obey equation (6).
Consequently, the inconsistent initial value [0^T\ x_2(0)^T]^T \in
\mathrm{Ker}(E) cannot be recovered through measurements.

Assumption (A4) requires the attack signal to be sufficiently
smooth such that x(t) and y(t) are at least continuous.
Suppose that assumption (A4) is dropped and the input u(t)
belongs to the class of impulsive smooth distributions \mathcal{C}_{\mathrm{imp}} =
\mathcal{C}_{\mathrm{smooth}} \oplus \mathcal{C}_{\mathrm{p\text{-}imp}}, that is, loosely speaking, the class of functions
given by the linear combination of a smooth function on \mathbb{R}_{\ge 0}
(denoted by \mathcal{C}_{\mathrm{smooth}}) and Dirac impulses and their derivatives
at t = 0 (denoted by \mathcal{C}_{\mathrm{p\text{-}imp}}), see [35, Section 2.4]. In this
case, an attacker commanding an impulsive input u(0) \in \mathcal{C}_{\mathrm{imp}}
can reset the initial state x(0) and, possibly, evade detection.

The discussion in the previous two paragraphs can be
formalized as follows. Let \mathcal{V}_c be the subspace of points
x_0 \in \mathbb{R}^n of consistent initial conditions for which there exists
an input u \in \mathcal{C}^m_{\mathrm{smooth}} and a state trajectory x \in \mathcal{C}^n_{\mathrm{smooth}} of the
descriptor system (3) such that y(t) = 0 for all t \in \mathbb{R}_{\ge 0}. Let
\mathcal{V}_d (respectively \mathcal{W}) be the subspace of points x_0 \in \mathbb{R}^n for
which there exists an input u \in \mathcal{C}^m_{\mathrm{imp}} (respectively u \in \mathcal{C}^m_{\mathrm{p\text{-}imp}})
and a state trajectory x \in \mathcal{C}^n_{\mathrm{imp}} (respectively x \in \mathcal{C}^n_{\mathrm{p\text{-}imp}}) of the
descriptor system (3) such that y(t) = 0 for all t \in \mathbb{R}_{\ge 0}. The
output-nulling subspace \mathcal{V}_d can be decomposed as follows.

Lemma 4.9: (Decomposition of the output-nulling space [34,
Theorem 3.2 and Proposition 3.4]) \mathcal{V}_d = \mathcal{V}_c + \mathcal{W} + \mathrm{Ker}(E).
In words, from an initial condition x(0) \in \mathcal{V}_d the output can
be nullified by a smooth input or by an impulsive input (with
consistent or inconsistent initial conditions in \mathrm{Ker}(E)).

In this work we focus on the smooth output-nulling sub-
space \mathcal{V}_c, which is exactly the space of zero dynamics identified in
Theorems 4.5 and 4.6. Hence, by Lemma 4.9, for inconsistent
initial conditions the results presented in this section are valid
only for strictly positive times t > 0. On the other hand, if an
attacker is capable of injecting impulsive signals, then it can
avoid detection for initial conditions x(0) \in \mathcal{W}.
V. Graph theoretic detectability conditions

In this section we characterize undetectable attacks against
cyber-physical systems from a structural perspective. In par-
ticular, we will derive detectability conditions based upon a
connectivity property of a graph associated with the system.
For ease of notation, we now drop the subscript K from B_K,
D_K, and u_K(t).

A. Preliminary notions

We start by recalling some useful facts about structured
systems and structural properties [26], [40]. Let a structure
matrix [M] be a matrix in which each entry is either a fixed
zero or an indeterminate parameter. The system

[E]\dot x(t) = [A] x(t) + [B] u(t),
y(t) = [C] x(t) + [D] u(t), \qquad (8)

is called a structured system, and it is sometimes referred to
with the tuple ([E], [A], [B], [C], [D]) of structure matrices.
A system (E, A, B, C, D) is an admissible realization of
([E], [A], [B], [C], [D]) if it can be obtained from the latter
by fixing the indeterminate entries at some particular value.
Two systems are structurally equivalent if they are both an
admissible realization of the same structured system. Let d
be the number of indeterminate entries of a structured system
altogether. By collecting the indeterminate parameters into a
vector, an admissible realization is mapped to a point in the
Euclidean space \mathbb{R}^d. A property which can be asserted on a
dynamical system is called structural if, informally, it holds
for almost all admissible realizations. To be more precise,
we say that a property is structural if and only if the set of
admissible realizations satisfying such property forms a dense
subset of the parameter space.^3 For instance, left-invertibility
of a nonsingular system is a structural property with respect
to \mathbb{R}^d [41].

Consider the structured cyber-physical system (8). It is often
the case that, for the tuple (E, A, B, C, D) to be an admissible
realization of (8), the numerical entries need to satisfy certain
algebraic relations. For instance, for (E, A, B, C, D) to be an
admissible power network realization, the matrices E and A
need to be of the form (1). Let S \subseteq \mathbb{R}^d be the admissible
parameter space. We make the following assumption:

(A4) the admissible parameter space S is a polytope of \mathbb{R}^d,
that is, S = \{x \in \mathbb{R}^d : Mx \ge 0\} for some matrix M.

It should be noticed that assumption (A4) is automatically
verified for the case of power networks [20, Lemma 3.1].
Unfortunately, if the admissible parameter space is a proper subset
of \mathbb{R}^d, then classical structural system-theoretic results are, in
general, not valid [40, Section 15].

We now define a mapping between dynamical systems
in descriptor form and digraphs. Let ([E], [A], [B], [C], [D])
be a structured cyber-physical system under attack. We
associate a directed graph G = (V, \mathcal{E}) with the tuple
([E], [A], [B], [C], [D]). The vertex set is V = U \cup X \cup Y,
where U = \{u_1, \ldots, u_m\} is the set of input vertices, X =
\{x_1, \ldots, x_n\} is the set of state vertices, and Y = \{y_1, \ldots, y_p\}
is the set of output vertices. If (i, j) denotes the edge from
the vertex i to the vertex j, then the edge set \mathcal{E} is \mathcal{E}_{[E]} \cup
\mathcal{E}_{[A]} \cup \mathcal{E}_{[B]} \cup \mathcal{E}_{[C]} \cup \mathcal{E}_{[D]}, with

\mathcal{E}_{[E]} = \{(x_j, x_i) : [E]_{ij} \ne 0\}, \quad
\mathcal{E}_{[A]} = \{(x_j, x_i) : [A]_{ij} \ne 0\}, \quad
\mathcal{E}_{[B]} = \{(u_j, x_i) : [B]_{ij} \ne 0\},
\mathcal{E}_{[C]} = \{(x_j, y_i) : [C]_{ij} \ne 0\}, \quad \text{and} \quad
\mathcal{E}_{[D]} = \{(u_j, y_i) : [D]_{ij} \ne 0\}.

In the latter, for instance, the expression [E]_{ij} \ne 0 means
that the (i, j)-th entry of [E] is a free parameter.

^3 A subset S \subseteq P \subseteq \mathbb{R}^d is dense in P if, for each r \in P and every \varepsilon > 0,
there exists s \in S such that the Euclidean distance \|s - r\| < \varepsilon.

Fig. 2. WSCC power system with 3 generators and 6 buses. The numerical
values of the network parameters can be found in [19].

Fig. 3. The digraph associated with the network in Fig. 2. The self-loops of
the vertices \{\delta_1, \delta_2, \delta_3\}, \{\omega_1, \omega_2, \omega_3\}, and \{\theta_1, \ldots, \theta_6\} are not drawn. The
inputs u_1 and u_2 affect respectively the bus b_4 and the bus b_5. The measured
variables are the rotor angle and frequency of the first generator.

Example 1: (Power network structural analysis) Con-
sider the power network illustrated in Fig. 2 where,
e_i being the i-th canonical vector, we take [E] =
\mathrm{blkdiag}(1, 1, 1, M_1, M_2, M_3, 0, 0, 0, 0, 0, 0), [B] = [e_8\ e_9],
[C] = [e_1\ e_4]^T, [D] = 0, and [A] with the sparsity pattern
induced by the network interconnection of Fig. 2.
The digraph associated with the structure matrices
([E], [A], [B], [C], [D]) is shown in Fig. 3. □
B. Network vulnerability with known initial state

We derive graph-theoretic detectability conditions for two
different scenarios. Recall from Lemma 4.1 that an attack
u(t) is undetectable if y(x_1, u, t) = y(x_2, 0, t) for some initial
states x_1 and x_2. In this section, we assume that the system
state is known at the failure initial time,^4 so that an attack u(t)
is undetectable if y(x_0, u, t) = y(x_0, 0, t) for some system
initial state x_0. The complementary case of unknown initial
state is studied in Section V-C.

Consider the cyber-physical system described by the ma-
trices (E, A, B, C, D), and notice that, if the initial state is
known, then the attack undetectability condition y(x_0, u, t) =
y(x_0, 0, t) coincides with the system being not left-invertible.^5
Recall that a subset S \subseteq \mathbb{R}^d is an algebraic variety if it
coincides with the locus of common zeros of a finite number
of polynomials [26]. Consider the following observation.

Lemma 5.1: (Polytopes and algebraic varieties) Let S \subseteq
\mathbb{R}^d be a polytope, and let T \subseteq \mathbb{R}^d be an algebraic variety.
Then, either S \subseteq T, or S \setminus (S \cap T) is dense in S.

Proof: Let T \subseteq \mathbb{R}^d be the algebraic variety de-
scribed by the locus of common zeros of the polynomials
\{\phi_1(x), \ldots, \phi_t(x)\}, with t \in \mathbb{N}, t < \infty. Let P \subseteq \mathbb{R}^d
be the smallest vector subspace containing the polytope S.
Then P \subseteq T if and only if every polynomial \phi_i vanishes
identically on P. Suppose that the polynomial \phi_i does not
vanish identically on P. Then, the set T \cap P is contained in
the algebraic variety \{x \in P : \phi_i(x) = 0\}, and, therefore [26],
the complement P \setminus (P \cap T) is dense in P. By definition of
a dense set, the set S \setminus (S \cap T) is also dense in S. ■



In Lemma 5.1, interpret the polytope S as the admissible
parameter space of a structured cyber-physical system. Then
we have shown that left-invertibility of a cyber-physical system
is a structural property even when the admissible parameter
space is a polytope of the whole parameter space. Conse-
quently, given a structured cyber-physical system, either every
admissible realization admits an undetectable attack, or there
is no undetectable attack in almost all admissible realizations.
Moreover, in order to show that almost all realizations have no
undetectable attacks, it is sufficient to prove that this is the case
for some specific admissible realization. Before presenting
our main result, we recall the following result. Let E and A
be N-dimensional square matrices, and let G(sE - A) be the
graph associated with the matrix sE - A that consists of N
vertices, and an edge from vertex j to i if A_{ij} \ne 0 or E_{ij} \ne 0.
The matrix s[E] - [A] is said to be structurally degenerate
if, for any admissible realization E (respectively A) of [E]
(respectively [A]), the determinant |sE - A| vanishes for all
s \in \mathbb{C}. Recall the following definitions from [41]. For a given
graph G, a path is a sequence of vertices where each vertex
is connected to the following one in the sequence. A path is
simple if every vertex on the path (except possibly the first
and the last vertex) occurs only once. Two paths are disjoint
if they consist of disjoint sets of vertices. A set of l mutually
disjoint and simple paths between two sets of vertices S_1 and
S_2 is called a linking of size l from S_1 to S_2. A simple path
in which the first and the last vertex coincide is called a cycle;
a cycle family of size l is a set of l mutually disjoint cycles.
The length of a cycle family equals the total number of edges
in the family.

^4 The failure initial state can be estimated through a state observer [19].

^5 A regular descriptor system is left-invertible if and only if its transfer
matrix G(s) has full column rank for almost all s \in \mathbb{C}, or, equivalently, if and only if
\begin{bmatrix} sE - A & -B \\ C & D \end{bmatrix} has full column rank for almost all s \in \mathbb{C} [34, Theorem 4.2].

Theorem 5.2: (Structural rank of a square matrix [42])
The N-dimensional structure matrix s[E] - [A] is structurally
degenerate if and only if there exists no cycle family of length
N in G(s[E] - [A]).

We are now able to state our main result on structural
detectability.

Theorem 5.3: (Structurally undetectable attack) Let the
parameter space of the structured cyber-physical system
([E], [A], [B], [C], [D]) define a polytope in \mathbb{R}^d for some d \in
\mathbb{N}_0. Assume that s[E] - [A] is structurally non-degenerate. The
system ([E], [A], [B], [C], [D]) is structurally left-invertible if
and only if there exists a linking of size |U| from U to Y.

Theorem 5.3 can be interpreted in the context of cyber-
physical systems. Indeed, since |sE - A| \ne 0 by assumption
(A1), and because of assumption (A4), Theorem 5.3 states
that there exists a structurally undetectable attack if and only if
there is no linking of size |U| from U to Y, provided that the
network state at the failure time is known.

Proof: Because of Lemma 5.1, we need to show that, if
there are |U| disjoint paths from U to Y, then there exist
admissible left-invertible realizations, and, conversely, that if
there are at most |U| - 1 disjoint paths from U to Y, then every
admissible realization is not left-invertible.

(If) Let (E, A, B, C, D), with |sE - A| \ne 0, be an
admissible realization, and suppose there exists a linking of
size |U| from U to Y. Without affecting generality, assume
|Y| = |U|. For the left-invertibility property we need

\det \begin{bmatrix} sE - A & -B \\ C & D \end{bmatrix}
= |sE - A| \, |D + C(sE - A)^{-1} B| \ne 0,

and hence we need |D + C(sE - A)^{-1}B| \ne 0. Notice that
D + C(sE - A)^{-1}B corresponds to the transfer matrix of
the cyber-physical system. Since there are |U| disjoint
paths from U to Y, the matrix D + C(sE - A)^{-1}B can be
made nonsingular and diagonal by removing some connection
lines from the network. In particular, for a given linking of
size |U| from U to Y, a nonsingular and diagonal transfer
matrix is obtained by setting to zero the entries of E and
A corresponding to the edges not in the linking. Then there
exist admissible left-invertible realizations, and thus the system
([E], [A], [B], [C], [D]) is structurally left-invertible.

(Only if) Take any subset of |U| output vertices, and let
|U| - 1 be the maximum size of a linking from U to Y.
Let [\bar E] and [\bar A] be such that

s[\bar E] - [\bar A] = \begin{bmatrix} s[E] - [A] & [B] \\ [C] & [D] \end{bmatrix}.

Consider the previously defined graph G(s[\bar E] - [\bar A]), and
notice that a path from U to Y in the digraph associated with
the structured system corresponds, possibly after relabeling the
output variables, to a cycle involving input/output vertices
in G(s[\bar E] - [\bar A]). Observe that there are only |U| - 1 such
(disjoint) cycles. Hence, there is no cycle family of length
\bar N, \bar N being the size of [\bar A], and the statement follows from
Theorem 5.2. ■

To conclude this section, note that Theorem 5.3 extends
to regular descriptor systems with constraints on parameters.
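The linking test of Theorem 5.3 is a maximum-flow computation on the digraph of Section V-A: splitting every vertex into an in-copy and an out-copy joined by a unit-capacity arc makes the maximum number of mutually vertex-disjoint input-to-output paths equal to a unit-capacity maximum flow from the input vertices to the output vertices. The following Python script is an added example, not code from the paper: it builds the digraph from 0/1 sparsity patterns of ([E],[A],[B],[C],[D]) and reports whether a structurally undetectable attack exists for a known initial state. The four-state pattern it runs on is constructed in the spirit of Section VI-A (two measurement choices, one with a bottleneck vertex and one without), not the paper's matrices; the function names are ours, and the pattern is assumed to satisfy the theorem's non-degeneracy hypothesis on s[E] - [A].

```python
from collections import defaultdict

def build_digraph(E, A, B, C, D):
    """Digraph of a structured system (Section V-A). Matrices are 0/1 sparsity patterns; a 1 in
    [M]_ij is a free parameter and yields the edge column-vertex j -> row-vertex i."""
    adj = defaultdict(set)
    def add_edges(M, src, dst):
        for i, row in enumerate(M):
            for j, free in enumerate(row):
                if free:
                    adj[(src, j)].add((dst, i))
    add_edges(E, 'x', 'x'); add_edges(A, 'x', 'x'); add_edges(B, 'u', 'x')
    add_edges(C, 'x', 'y'); add_edges(D, 'u', 'y')
    return adj

def max_linking(adj, m, p):
    """Size of a maximum linking from U = {u_0..u_{m-1}} to Y = {y_0..y_{p-1}}: the maximum number
    of mutually vertex-disjoint simple paths. Every vertex v is split into v_in -> v_out with unit
    capacity, so a unit-capacity max-flow from a super-source to a super-sink counts such paths."""
    cap = defaultdict(int)
    nodes = set(adj) | {w for ws in adj.values() for w in ws}
    nodes |= {('u', j) for j in range(m)} | {('y', i) for i in range(p)}
    for v in nodes:
        cap[((v, 'in'), (v, 'out'))] = 1
    for v, ws in adj.items():
        for w in ws:
            cap[((v, 'out'), (w, 'in'))] = 1
    S, T = 'source', 'sink'
    for j in range(m):
        cap[(S, (('u', j), 'in'))] = 1
    for i in range(p):
        cap[((('y', i), 'out'), T)] = 1
    nbrs = defaultdict(set)
    for a, b in list(cap):             # residual graph: forward and backward arcs
        nbrs[a].add(b); nbrs[b].add(a)
    flow = 0
    while True:                         # Ford-Fulkerson with DFS augmenting paths
        parent, stack = {S: None}, [S]
        while stack and T not in parent:
            a = stack.pop()
            for b in nbrs[a]:
                if b not in parent and cap[(a, b)] > 0:
                    parent[b] = a
                    stack.append(b)
        if T not in parent:
            return flow
        b = T
        while parent[b] is not None:    # push one unit of flow along the path found
            a = parent[b]
            cap[(a, b)] -= 1
            cap[(b, a)] += 1
            b = a
        flow += 1

def structurally_undetectable_attack_exists(E, A, B, C, D):
    """Theorem 5.3 with known initial state (s[E]-[A] assumed structurally non-degenerate):
    returns (verdict, linking size); a structurally undetectable attack exists iff the
    maximum linking from U to Y is smaller than |U|."""
    m, p = len(B[0]), len(C)
    link = max_linking(build_digraph(E, A, B, C, D), m, p)
    return link < m, link

# Constructed 4-state pattern in the spirit of Section VI-A (not the paper's matrices):
# x0 = rotor angle and x1 = rotor speed (dynamic), x2 and x3 = bus angles (algebraic).
E = [[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 0, 0], [0, 0, 0, 0]]
A = [[0, 1, 0, 0],   # x0' depends on x1
     [1, 1, 1, 0],   # x1' depends on x0, x1 and the bus x2
     [1, 0, 1, 1],   # algebraic equation of bus x2
     [0, 0, 1, 1]]   # algebraic equation of bus x3
B = [[0, 0], [0, 0], [1, 0], [0, 1]]   # u0 enters bus x2, u1 enters bus x3
D = [[0, 0], [0, 0]]
C_generator = [[1, 0, 0, 0], [0, 1, 0, 0]]   # measure x0, x1: every input-output path crosses x1
C_mixed     = [[1, 0, 0, 0], [0, 0, 0, 1]]   # measure x0 and bus x3: two disjoint paths exist
```

With the generator-only sensors every path from either input to either output passes through the speed vertex x1, so the linking has size 1 < |U| = 2 and Theorem 5.3 guarantees an undetectable attack for every admissible realization, as in the first measurement choice of Section VI-A; moving one sensor to the bus x3 yields a linking of size 2, and the structured system becomes structurally left-invertible.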

C. Network vulnerability with unknown initial state

If the failure initial state is unknown, then a vulnerability is
identified by the existence of a pair of initial conditions x_1 and
x_2, and an attack u(t) such that y(x_1, 0, t) = y(x_2, u, t), or,
equivalently, by the existence of invariant zeros for the given
cyber-physical system. We will now show that, provided that a
cyber-physical system is left-invertible, its invariant zeros can
be computed by simply looking at an associated nonsingular
state space system. Let the state vector x of the descriptor
system (3) be partitioned as [x_1^T\ x_2^T]^T, where x_1 corresponds
to the dynamic variables. Let the network matrices E, A, B, C,
and D be partitioned accordingly, and assume, without loss of
generality, that E is given as E = \mathrm{blkdiag}(E_{11}, 0), where E_{11}
is nonsingular. In this case, the descriptor model (3) reads as

E_{11}\dot x_1(t) = A_{11} x_1(t) + B_1 u(t) + A_{12} x_2(t),
0 = A_{21} x_1(t) + A_{22} x_2(t) + B_2 u(t), \qquad (9)
y(t) = C_1 x_1(t) + C_2 x_2(t) + D u(t).

Consider now the associated nonsingular state space system
which is obtained by regarding x_2(t) as an external input to
the descriptor system (9) and the algebraic constraint as an output:

\dot x_1(t) = E_{11}^{-1} A_{11} x_1(t) + E_{11}^{-1} B_1 u(t) + E_{11}^{-1} A_{12} x_2(t),
\begin{bmatrix} 0 \\ y(t) \end{bmatrix} =
\begin{bmatrix} A_{21} \\ C_1 \end{bmatrix} x_1(t) +
\begin{bmatrix} A_{22} & B_2 \\ C_2 & D \end{bmatrix}
\begin{bmatrix} x_2(t) \\ u(t) \end{bmatrix}. \qquad (10)

Theorem 5.4: (Equivalence of invariant zeros) Consider
the descriptor system (3) partitioned as in (9). Assume that, for
the corresponding structured system ([E], [A], [B], [C], [D]),
there exists a linking of size |U| from U to Y. Then, in almost
all admissible realizations, the invariant zeros of the descriptor
system (9) coincide with those of the associated nonsingular
system (10).

Proof: From Theorem 5.3 the structured descriptor sys-
tem ([E], [A], [B], [C], [D]) is structurally left-invertible. Let
(E, A, B, C, D) be a left-invertible realization.

The proof now follows a procedure similar to [43, Proposi-
tion 8.4]. Let s \in \mathbb{C} be an invariant zero for the nonsingular
system (10) with state-zero direction x_1 \ne 0 and input-zero
direction [x_2^T\ u^T]^T, that is

\begin{bmatrix} 0 \\ 0 \\ 0 \end{bmatrix} =
\underbrace{\begin{bmatrix}
sI - E_{11}^{-1} A_{11} & -E_{11}^{-1} A_{12} & -E_{11}^{-1} B_1 \\
A_{21} & A_{22} & B_2 \\
C_1 & C_2 & D
\end{bmatrix}}_{P_{\mathrm{nonsingular}}(s)}
\begin{bmatrix} x_1 \\ x_2 \\ u \end{bmatrix},

and a multiplication of the first block row by E_{11}, a change of
sign of the second block row, and a re-partitioning of the
resulting matrix yield

\begin{bmatrix} 0 \\ 0 \\ 0 \end{bmatrix} =
\underbrace{\begin{bmatrix}
sE_{11} - A_{11} & -A_{12} & -B_1 \\
-A_{21} & -A_{22} & -B_2 \\
C_1 & C_2 & D
\end{bmatrix}}_{P_{\mathrm{singular}}(s)}
\begin{bmatrix} x_1 \\ x_2 \\ u \end{bmatrix}. \qquad (11)

Since x_1 \ne 0, we also have x = [x_1^T\ x_2^T]^T \ne 0. Then,
equation (11) implies that s \in \mathbb{C} is an invariant zero of the
descriptor system (9) with state-zero direction x \ne 0 and
input-zero direction u. We conclude that the invariant zeros
of the nonsingular system (10) are a subset of the zeros of the
descriptor system (9). In order to continue, suppose that there
is s \in \mathbb{C} which is an invariant zero of the descriptor system (9)
but not of the nonsingular system (10). Let x = [x_1^T\ x_2^T]^T \ne 0
and u be the associated state-zero and input-zero direction,
respectively. Since \mathrm{Ker}(P_{\mathrm{singular}}(s)) = \mathrm{Ker}(P_{\mathrm{nonsingular}}(s)) and
s is not a zero of the nonsingular system (10), it follows that
x_1 = 0 and x_2 \ne 0. Accordingly, we have that

\begin{bmatrix} x_2 \\ u \end{bmatrix} \in
\mathrm{Ker} \begin{bmatrix} -A_{12} & -B_1 \\ -A_{22} & -B_2 \\ C_2 & D \end{bmatrix}.

It follows that the vector [0\ x_2^T\ u^T]^T lies in the nullspace of
P_{\mathrm{singular}}(s) for each s \in \mathbb{C}, and thus the descriptor system (9)
is not left-invertible. In conclusion, if the descriptor system (9)
is left-invertible, then its invariant zeros coincide with those
of the nonsingular system (10). ■

Fig. 4. In the above network, there is no linking of size 2 from the input to
the output vertices. Indeed, the vertices \delta_1 and \omega_1 belong to every path from
\{u_1, u_2\} to \{y_1, y_2\}. Two input to output paths are depicted in red.

It should be noticed that, because of Theorem 5.4, under
the assumption of left-invertibility, classical linear systems
results can be used to investigate the presence of structural
undetectable attacks in a cyber-physical system; see [41] for
a survey of results on generic properties of linear systems.

VI. Illustrative examples

A. An example of state attack against a power network

Consider the power network model analyzed in Example
1 and illustrated in Fig. 2, and let the variables \theta_4 and \theta_5
be affected, respectively, by the unknown and unmeasurable
signals u_1(t) and u_2(t). Suppose that a monitoring unit is
allowed to measure directly the state variables of the first
generator, that is, y_1(t) = \delta_1(t) and y_2(t) = \omega_1(t).

Notice from Fig. 4 that the maximum size of a linking from
the failure to the output vertices is 1, so that, by Theorem 5.3,
there exists a structural vulnerability. In other words, for every
choice of the network matrices, there exist nonzero u_1(t) and
u_2(t) that are not detectable through the measurements.^6

We now consider a numerical realization of this system.
Let the input matrices be B = [e_8\ e_9] and D = 0, the
measurement matrix be C = [e_1\ e_4]^T, and the system matrix
A be as in equation (1) with M_g = \mathrm{blkdiag}(.125, .034, .016),
D_g = \mathrm{blkdiag}(.125, .068, .048), and the remaining network
parameters as given in [19] (see Fig. 2).

Let U_1(s) and U_2(s) be the Laplace transforms of the attack
signals u_1(t) and u_2(t), and let

\begin{bmatrix} U_1(s) \\ U_2(s) \end{bmatrix} =
\underbrace{\begin{bmatrix}
\dfrac{-1.024 s^4 - 5.121 s^3 - 10.34 s^2 - 9.584 s - 3.531}{s^4 + 5 s^3 + 9.865 s^2 + 9.173 s + 3.531} \\
1
\end{bmatrix}}_{N(s)} U(s)

for some arbitrary nonzero signal U(s). Then it can be verified
that the failure cannot be detected through the measurements
y_1(t) and y_2(t). In fact, N(s) coincides with the null space
of the input/output transfer matrix. An example is in Fig. 5,
where the second and the third generator are driven unstable
by the attack, but yet the first generator does not deviate from
the nominal operating condition.

^6 When these output-nulling inputs u_1(t), u_2(t) are regarded as additional
loads, then they are entirely sustained by the second and third generator.

Fig. 5. The velocities \omega_2 and \omega_3 are driven unstable by the signals u_1(t)
and u_2(t), which are undetectable from the measurements of \omega_1 and \delta_1.

Suppose now that the rotor angle of the first generator
and the voltage angle at the 6-th bus are measured, that is,
C = [e_1\ e_{12}]^T. Then, there exists a linking of size 2 from U
to Y, and the system (E, A, B, C) is left-invertible. Following
Theorem 5.4, the invariant zeros of the power network can
be computed by looking at its reduced system, and they are
-1.6864 \pm 1.8070i and -0.8136 \pm 0.2258i. Consequently,
if the network state is unknown at the failure time, there
exist vulnerabilities that an attacker may exploit to affect the
network while remaining undetected. Finally, we remark that
such state attacks are entirely realizable by cyber attacks [22].

B. An example of output attack against a power network

Let the IEEE 14 bus power network (Fig. 6) be modeled as
a descriptor system as in Section II-A. Following [11], let the
measurement matrix C consist of the real power injections at
all buses, of the real power flows of all branches, and of one
rotor angle (or one bus angle). We assume that an attacker
can compromise all the measurements, independently of each
other, except for the one referring to the rotor angle.

Let k \in \mathbb{N}_0 be the cardinality of the attack set. It is known
that an attack undetectable to a static detector exists if k \ge 4
[11]. In other words, due to the sparsity pattern of C, there
exists a signal u_K(t), with (the same) four nonzero entries
at all times, such that D u_K(t) \in \mathrm{Im}(C) at all times. By
Theorem 4.3, the attack set K remains undetected by a static
detector through the attack mode u_K(t). On the other hand,
following Theorem 4.5, it can be verified that, for the same
output matrix C, and independently of the value of k, there
exist no undetectable (output) attacks for a dynamic monitor.

It should be noticed that this result relies on the fact that the
rotor angle measurement is known to be correct, because, for
instance, it is protected using sophisticated and costly security
methods [1]. Since the state of the IEEE 14 bus system can
be reconstructed by means of this measurement only (in a
system-theoretic sense, the system is observable by measuring
one generator rotor angle), the output attack D u(t) is easily
identified as D u(t) = y(t) - C \hat x(t), where \hat x(t) = x(t) is the
reconstructed system state at time t.

Fig. 6. For the IEEE 14 bus system represented here, if the voltage angle
of one bus is measured exactly, then a cyber attack against the measurement
data is always detectable by our dynamic detection procedure. On the contrary, as
shown in [11], a cyber attack may remain undetected by a static procedure if
it compromises as few as four measurements.

Fig. 7. This figure shows the structure of the EPANET water supply network
model #3, which features 3 tanks (T_1, T_2, T_3), 2 reservoirs (R_1, R_2), 2 pumps
(P_1, P_2), 96 junctions, and 119 pipes. Seven pressure sensors (S_1, \ldots, S_7)
have been installed to monitor the network functionalities. A cyber-physical
attack to steal water from the reservoir R_2 is reported. Notice that the cyber-
physical attack features two state attacks (u_1, u_2) and one output attack (u_3).

C. An example of state and output attack against a water 
supply network 

Consider the water supply network EPANET 3 linearized at a steady state with non-zero pressure drops (44). The water network model as well as a possible cyber-physical attack are illustrated in Fig. 7. The considered cyber-physical attack aims at stealing water from the reservoir R2 while remaining undetected from the installed pressure sensors S1, ..., S7. In order to achieve its goal, the attacker corrupts the measurements of sensor S1 (output attack), it steals water from the reservoir R2 (state attack), and, finally, it modifies the input of the control pump P2 to restore the pressure drop due to the loss of water in R2 (state attack). We now analyze this attack in more detail.

Following the modeling in Section II-B, an index-one descriptor model describing the evolution of the water network in Fig. 7 is computed. For notational convenience, let $x_1(t)$, $x_2(t)$, $x_3(t)$, and $x_4(t)$ denote, respectively, the pressure at time t at the reservoir R2, at the reservoir R1 and at the tanks T1, T2 and T3, at the junction P2, and at the remaining junctions. The index-one descriptor model reads as

$$
\begin{bmatrix} \dot{x}_1(t) \\ M\dot{x}_2(t) \\ 0 \\ 0 \end{bmatrix}
=
\begin{bmatrix}
0 & 0 & 0 & 0 \\
0 & A_{22} & 0 & A_{24} \\
A_{31} & 0 & A_{33} & A_{34} \\
0 & A_{42} & A_{43} & A_{44}
\end{bmatrix}
\begin{bmatrix} x_1(t) \\ x_2(t) \\ x_3(t) \\ x_4(t) \end{bmatrix},
$$

where the pattern of zeros is due to the network interconnection structure, and $M = \mathrm{diag}(1, \lambda_1, \lambda_2, \lambda_3)$ corresponds to the dynamics of the reservoir R1 and the tanks T1, T2, and T3. With the same partitioning, the attack signature reads as $B = [B_1 \; B_2 \; 0]$ and $D = [0 \; D_1]$, where

$$
B_1 = [1 \; 0]^T, \quad B_2 = [0 \; 1 \; 0]^T, \quad \text{and} \quad D_1 = [1 \; \cdots \; 0]^T.
$$

Let the attack $u_2(t)$ be chosen as $u_2(t) = -A_{31}x_1(t)$. Then, the state variables $x_2$, $x_3$, and $x_4$ are decoupled from $x_1$. Consequently, the attack mode $u_1$ does not affect the dynamics of $x_2$, $x_3$, and $x_4$. Let $u_1(t) = -1$, and notice that the pressure $x_1(t)$ decreases with time (that is, water is being removed from R2). Finally, for the attack to be undetectable, since the state variable $x_1$ is continuously monitored by S1, let $u_3(t) = -x_1(t)$. It can be verified that the proposed attack strategy allows an attacker to steal water from the reservoir R2 while remaining undetected from the sensors measurements. In other words, the attack $(Bu(t), Du(t))$, with $u(t) = [u_1^T(t) \; u_2^T(t) \; u_3^T(t)]^T$, excites only zero dynamics for the water network system in Fig. 7.

We conclude this section with the following remarks. First, for the implementation of the proposed attack strategy, neither the network initial state, nor the network structure besides $A_{31}$ need to be known to the attacker. Second, the effectiveness of the proposed attack strategy is independent of the sensors measuring the variables $x_3$ and $x_4$. On the other hand, if additional sensors are used to measure the flow between the reservoir R2 and the pump P2, then an attacker would need to corrupt these measurements as well to remain undetected. Third and finally, due to the reliance on networks to control actuators in cyber-physical systems, the attack $u_2(t)$ on the pump P2 could be generated by a cyber attack [22].
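The following added example (not the paper's code or data) reproduces the zero-dynamics argument above on a constructed four-state toy instance with the same zero pattern, and checks it from the monitor's side: it measures the residual on the installed sensors, confirming that the attack leaves them unchanged, and then repeats the check with the additional flow sensor on the R2-P2 link mentioned in the remarks, which exposes the drift of $x_1$. The numerical coefficients, the sensor placement and the assumption that the extra sensor reads the linearized pressure drop $x_1 - x_3$ are all assumptions of this toy.

```python
"""Constructed toy instance of the page's water-network attack (not the
paper's code): a 4-state index-one descriptor model with the same zero
pattern, checked from the monitor's side for sensor residuals."""
import numpy as np

# Constructed coefficients; A31 is the only coupling from x1 (reservoir R2)
# into the rest of the network, as in the page's model.
A22, A24, A31, A33, A34, A42, A43, A44 = -0.5, 0.5, 0.8, -2.0, 1.0, 0.3, 1.0, -3.0
M = 2.0                                        # capacity coefficient of x2
A_ALG = np.array([[A33, A34], [A43, A44]])     # invertible junction block

def algebraic_states(x1, x2, u2):
    """Solve 0 = A31 x1 + A33 x3 + A34 x4 + u2 and 0 = A42 x2 + A43 x3 + A44 x4."""
    return np.linalg.solve(A_ALG, -np.array([A31 * x1 + u2, A42 * x2]))

def attack_inputs(x1, attack):
    """u1 drains R2, u2 cancels the coupling A31 x1, u3 masks sensor S1."""
    return (-1.0, -A31 * x1, -x1) if attack else (0.0, 0.0, 0.0)

def measurements(x, u3, extra_flow_sensor):
    """Installed sensors: S1 on x1 (corrupted by u3), S2 on x2, S3 on x4.
    Optional extra sensor on the R2-P2 pipe, assumed here to read the
    linearized pressure drop x1 - x3 (a modelling assumption of this toy)."""
    x1, x2, x3, x4 = x
    y = [x1 + u3, x2, x4]
    if extra_flow_sensor:
        y.append(x1 - x3)
    return np.array(y)

def simulate(attack, extra_flow_sensor=False, steps=100, dt=0.1):
    """Forward-Euler run from the steady state (all deviations zero).
    Returns the final state and the largest residual |y(t) - y_nominal(t)|;
    the nominal output is identically zero in deviation coordinates."""
    x1 = x2 = 0.0
    max_residual = 0.0
    for _ in range(steps):
        u1, u2, u3 = attack_inputs(x1, attack)
        x3, x4 = algebraic_states(x1, x2, u2)
        y = measurements((x1, x2, x3, x4), u3, extra_flow_sensor)
        max_residual = max(max_residual, float(np.abs(y).max()))
        x1 += dt * u1                            # dx1/dt = u1
        x2 += dt * (A22 * x2 + A24 * x4) / M     # M dx2/dt = A22 x2 + A24 x4
    x3, x4 = algebraic_states(x1, x2, attack_inputs(x1, attack)[1])
    return np.array([x1, x2, x3, x4]), max_residual

if __name__ == "__main__":
    for extra in (False, True):
        state, resid = simulate(attack=True, extra_flow_sensor=extra)
        print(f"extra flow sensor={extra}: x1={state[0]:.1f}, max residual={resid:.2f}")
```

With only the pressure sensors the residual stays exactly zero while $x_1$ drifts to -10, which is the zero-dynamics behaviour the text describes; with the extra flow sensor the residual grows with the stolen volume and a monitor comparing against the nominal output would raise it.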

VII. Conclusion 

For cyber-physical systems modeled by linear time-invariant descriptor systems, we have analyzed fundamental limitations of static, dynamic, and active attack detection and identification monitors. We have rigorously shown that a dynamic detection and identification monitor exploits the network dynamics and outperforms the static counterpart, while requiring, possibly, fewer measurements. Additionally, we have shown that active monitors have the same limitations as passive dynamic monitors. Finally, we have described graph-theoretic conditions for the existence of undetectable and unidentifiable attacks. These latter conditions exploit the system interconnection structure, and they hold for almost all compatible numerical realizations. In the companion paper [29] we develop centralized and distributed attack detection and identification monitors.